Archive for March 2017

Cerber Learns to Evade Machine Learning

The Cerber family of ransomware has added a new trick: It can now evade detection by machine learning solutions.

According to Trend Micro, a new loader has been added that is designed to hollow out a normal process and run the Cerber code in its place.

Cerber is still being delivered via email, with malicious links to a self-extracting Dropbox archive that downloads the ransomware. The new loader has features that check if the target is running in a virtual machine (VM), if it is running in a sandbox, if certain analysis tools are running on the machine or if certain AV products are present. If any of these checks fail, the malware stops running.

Meanwhile, “the main payload of the loader is the injection of code in another process. In this case, the injected code is the whole Cerber binary, and it can be injected into [normal processes],” the firm said, in an analysis. “The new packaging and loading mechanism employed by Cerber can cause problems for static machine learning approaches—i.e., methods that analyze a file without any execution or emulation….Self-extracting files and simple, straightforward files could pose a problem for static machine learning file detection. All self-extracting files may look similar by structure, regardless of the content. Unpacked binaries with limited features may not look malicious either.”

For every new malware detection technique, an equivalent evasion technique is created out of necessity.

“This is a typical game of cat and mouse,” said Travis Smith, senior security research engineer for Tripwire, via email. “Criminals make an innovation in their techniques, so defenders follow suit. Once the criminal’s activities are being slowed by defensive measures, they continue to change their tactics. As far as the seriousness of these evasion techniques, they pose no additional risk to the end-user when it comes to protecting themselves. The best practices continue to follow safe internet browsing habits and back up critical files in the case of an infection.”

This new evasion technique does not defeat an anti-malware approach that uses multiple layers of protection, Trend Micro stressed.

“Cerber has its weaknesses against other techniques,” the firm said. “For instance, having an unpacked .DLL file will make it easy to create a one-to-many pattern; alternately having a set structure within an archive will make it easier to identify if a package is suspicious. Solutions that rely on a variety of techniques, and are not overly reliant on machine learning, can still protect customers against these threats.”

CyberFirst Girls' Hacking Competition Showcases Teen Skills

In a positive development for encouraging female participation in cybersecurity, the UK’s CyberFirst Girls’ competition saw 37 young ladies representing 10 teams displaying impressive code-cracking abilities during the national final earlier this week.

The teenage cyber-sleuths travelled to London from all over the country as part of the event organized by the National Cyber Security Centre, a part of GCHQ. It drew more than 8,000 young women aged 13-15 from across the UK, who entered online heats in teams of three or four.

The contest was created to raise more awareness of careers in cybersecurity amongst girls, because only 10% of the global workforce is female. It’s part of the UK’s National Cyber Security Strategy (NCSS), announced in November 2016, supported by £1.9bn of transformational investment.

The final transformed the historic Lancaster House, just yards from Buckingham Palace, into a live-action cyber-center to test the girls’ security skills through a series of challenging scenarios. In the final, teams took part in a full day of digital investigation to unravel a fictional mystery in which the fictional Paddock Hill School website had been hacked.

As they worked their way through the challenges to find clues to unravel the hack, they were supported by female tech industry champions Miriam González (Inspiring Girls International’s founder), Dido Harding (TalkTalk’s chief executive), Sian John (Symantec’s chief strategist), Dr Nicola Hodson (Microsoft's general manager of marketing and operations) and Jacqueline de Rojas (TechUK’s president).

They then presented their findings to a panel of Industry Champions, featuring Dido Harding, Miriam González and NCSC directors Alison Whitney and Chris Ensor, where the Lancaster Girls’ Grammar School were the eventual winners, after finding a total of 28 cyber-clues about the hackers’ identity.

“All of the girls were very worthy finalists—the standard of work was incredibly high and we were very impressed with their work,” said Alison Whitney, the deputy director for digital services at the NCSC. “Having worked in cybersecurity for over a decade, I would recommend working in cybersecurity to any young woman hoping to make a positive impact on the world. Cyber security is increasingly important to help people live and work online, and we hope CyberFirst Girls will help young women develop skills that could lead to a dynamic and rewarding career.”

The winning team took home individual prizes, and their school will receive IT equipment to the value of £1,000.

Sundown EK Sees a New Dawn

The Sundown exploit kit has matured to position itself as a major player within the exploit landscape.

With new, more significant strategies, Sundown has found less obvious ways to attack users and spread malicious content, the Cisco Talos team noted. Talos had previously identified Sundown’s lack of sophistication and its tactic of "hiding in plain sight" last fall.

“Previously Sundown was using numeric subfolders and numeric file names with proper extensions,” Talos researchers said, in a blog. “That has now changed with this newer version of Sundown.”

Also of note is Sundown's approach to compromising systems. Most exploit kits will attempt a single exploit on a system to achieve compromise. Sundown throws its full arsenal at a potential victim—and it’s a large arsenal, with several added exploits, some lifted from the RIG or Angler EKs.

“Typically you will see the IE scripting vulnerability targeted as well as several malicious flash files,” the researchers said. “This approach is noisy but gives Sundown the best chance of successfully compromising endpoints.”

They added, “Sundown is an exploit kit in transition, it has stopped using calling cards and other easy ways to identify its activity. It is one of the few exploit kits adding any new exploits to their arsenal, albeit stolen. At the same time they consistently steal exploits and technologies from other people and competitors. The exploit kit landscape has been struggling to find its footing since the major players have left. It still appears to be in transition with RIG and Sundown being the primary players left as an option for those looking to compromise random victims while browsing the web.”

One of the most notable updates, found in one active campaign, is the use of domain resellers, centred on the bulk purchase of expiring domains through auctions commonly held in the domain-reseller market.

“We repeatedly encountered registrant accounts using the name ‘Stivie Malone’ while investigating Sundown activity,” it said. “There was also a common email address of stiviemalone@gmail[.]com. One thing that made this account interesting was the sheer number of domains the user owned….Looking back historically we have found a total of more than 3,000 domains.”

Looking deeper, the team uncovered a network of domain reselling and a history of bulk purchases of expired or soon-to-expire domains.

“Reselling of domains is a common tactic used by individuals to try and get value out of their already registered domains, especially if they are soon expiring,” the researchers noted. “In the case that the reseller does not plan to renew them, reselling allows them to get a bit of residual value out of them.”

The price point of these domains falls between $0.10 and $0.60.

“For a relatively small price and using a digital currency these actors are able to obtain a large amount of domains,” the researchers said.

While Talos was working with GoDaddy on getting the domains seized, the activity from these accounts for Sundown effectively stopped and the actor pivoted.

“[They] had moved to full privacy protection mode,” researchers said. “Additionally, they were no longer leveraging GoDaddy in any way and instead moved to a registrar based out of Europe. Finally, the user accounts found on namepros were also no longer being used and there was no additional activity seen even related to the sale of the existing domains.”

This suggests that an end goal in fighting EKs could be making the cost of entry outweigh the potential monetary reward for the criminal activity.

“Shutting down these domains and killing the registrant accounts is not going to stop these individuals forever, but it will force them to change and spend additional capital setting up new infrastructure from which to host their malicious content,” Talos concluded.

Law Firms Face Increase in Attacks

A quarter of all legal firms have been the subject of a cyber-attack.

According to the NatWest 2017 Legal Benchmark Report, London-based firms in particular suffered at the hands of cyber-criminals, with 36% affected, while 24% have experienced a fraud-related loss or cyber-attack in the last year.

Steve Arundale, head of commercial professional sectors at NatWest, said in the report that NatWest remains committed to supporting legal firms "in developing a successful and sustainable business."

In an email to Infosecurity, Jonathan Armstrong, partner at Cordery, said that law firms generally are the target for an increasing number of attacks. “There are a number of fraud scams doing the rounds and lawyers – especially those involved in M&A and real estate handle a lot of money which makes them special targets,” he said.

“At the same time lawyers are often regarded as the weak link in trying to get client data as the sense is that some are less well protected than their clients. This has been on the ICO's radar for some time but also on the radar of the SRA who regulate Solicitors. It's clear that lawyers need to take their responsibilities seriously both for their own business and that of their clients.”

According to PwC’s 2016 Law Firms Survey, 73 of the top 100 firms experienced an attack during the financial year 2015-2016, up from 62 in 2014-15.

Writing for the Law Gazette, Edward Donne, director of Howden, said: “We all have a duty to make these crimes as difficult as possible for the perpetrators. We would not like to be considered anti-competitive, but, at the same time, complex and valuable transactions need to be undertaken by professionals alert to the problems.”

Steven Malone, director of security management at Mimecast, added: “The fact that a quarter of law firms have been hit by a cyber-attack or fraud over the last 12 months is bad; but what is worse is that this is only half the story.

“Our research reveals that 20% of UK organizations have experienced impersonation attacks from their legal departments last year – these involve hackers falsely assuming the identity of high-level people within an organization. What’s clear is that in addition to traditional threats, businesses must also look out for these types of attacks as this could affect customers and other key stakeholders without businesses realizing until it’s too late.”

White House Set to Repeal Obama Privacy Laws

The White House has confirmed it will support a new Congressional move to roll back privacy laws drawn up under the Obama administration, effectively allowing ISPs to sell citizens' browsing history to the highest bidder.

The new FCC-led rules effectively subjected broadband providers to the same oversight as telephone firms, meaning they required ISPs to ask customers for an “opt-in” to access app usage and web browsing data, and gave punters an opt-out of agreements to share e-mail addresses, service tier information and the like.

Ironically, as reported by Brian Krebs, those changes haven’t even had a chance to come into effect yet, so little will change on the surface for US consumers, aside from the realization from this whole fiasco that they probably have far too few privacy protections by default.

This week the House of Representatives followed the Senate in voting to nullify FCC rules relating to "Protecting the Privacy of Customers of Broadband and Other Telecommunications Services.”

Now the Trump administration has signaled it “strongly supports” the move, meaning the President will sign the bill into law.

It’s a multi-billion dollar win for lobbyists, such as the Data and Marketing Association (DMA).

“The position taken by the DMA was simple: these laws were an overreach of the jurisdiction of the FCC. They would greatly undermine businesses that rely on ISP data as a source of their overall big data initiatives and further complicate the landscape given the opt-out nature of CAN-SPAM,” argued Len Shneyder, VP of industry relations at SendGrid.

“Although the intention to protect Americans’ privacy was a good one, the fact is that more security regulations, protocols and standards will do more to protect consumer privacy than regulating new standards for opt-in.”

The move is in stark contrast to the situation in Europe, where the GDPR looks to impose strict new privacy laws on any firm processing the data of European citizens.

Fake WordPress Plugin Opens Sites to Criminals

A fake WordPress plugin is trending, targeting one of the world’s largest open-source applications in order to allow back-door access to a host of websites.

Dubbed WP-Base-SEO, the plugin is a forgery of a legitimate search engine optimization plugin, called WordPress SEO Tools, according to SiteLock, the firm that originally uncovered the threat. At first glance, the file appears to be legitimate, because it uses native WordPress hook functionality. A closer look, though, reveals its malicious intent in the form of a base64 encoded PHP eval request.

Eval is a PHP function that executes arbitrary PHP code. It is commonly used for malicious purposes and php.net recommends against using it, SiteLock noted. Here, it’s attached as an “action” to the header of the website’s theme. WordPress defines actions as the hooks that the WordPress core launches at specific points during execution, or when specific events occur. Plugins can specify that one or more of their PHP functions are executed at these points, using the Action API. That means remote attackers have back-door access and can force the site to do their bidding.

"Some versions include an additional hook that runs after each page load as well, which means that anytime the theme is loaded in a browser, the request is initialized," SiteLock noted. It added that researchers have observed that multiple sites have been infected by the malware, but an internet search of the plugin name revealed no information, suggesting that it may be flying under the radar of other malware scanners.

WordPress site administrators should perform a malware scan, as well as update the WordPress core, all themes and plugins to their latest versions. It is also crucial to use strong passwords and reputable plugins.

“If you find a suspicious plugin in your /wp-content/plugins directory, it is best to delete the entire folder and reinstall a clean version of the plugin either in the WordPress admin dashboard or by downloading it directly from WordPress.org,” SiteLock recommended.

Cloud Complexity Leads to Chaotic Security Environments

About one-third of respondents in a survey of RSA attendees describe the state of security monitoring within their organization as “complex and chaotic,” thanks to a lack of visibility into the cloud and proliferating internet of things (IoT) devices.

According to AlienVault’s latest report, many IT professionals are still struggling to monitor the cloud environment effectively, and no wonder: About 39% of respondents use more than 10 different cloud services within their organization, and an additional 21% don’t know how many cloud applications are being used. In addition, 40% state that their IT team is not always consulted before a cloud platform is deployed, meaning that they are unable to offer guidance and advice, or do due diligence on a platform or service.

As a result, a lack of visibility into the cloud is a significant concern for 42%.

The survey also asked participants what concerned them most about cloud security. Malware was rated as the highest concern, cited by 47% of respondents, while 21% are worried about the cloud-based services they use producing “too many logs.” This finding also points to the problems associated with auditing cloud environments in the event of an incident.

That said, the survey results also reveal a major disconnect between respondents’ beliefs and their actions when it comes to cloud security and IoT. For instance, despite concerns, 47% would rather monitor a cloud environment than an on-premises one. Meanwhile, 62% indicate they are worried about IoT devices in their environment, yet 43% of respondents say their company does not monitor IoT network traffic at all. An additional 20% aren’t sure if they do or do not. Amidst this, 45% believe IoT benefits outweigh the risks.

“The driving force behind cloud and IoT is the availability and analysis of information, but they must be managed and monitored in the right way,” said Javvad Malik, security advocate at AlienVault. “If data is misused, or inadequately protected, the consequences can be severe. According to the survey findings, many companies are using these impacting technologies to reap the technological and business benefits they provide, but they are doing so without proper monitoring—leaving their company at greater risk of attack.”

One-Third of All Malware Goes Undetected by AV

In the fourth quarter of 2016, about 30% of all malware was classified in new research as “zero day,” and was not caught by legacy antivirus solutions.

WatchGuard Technologies’ inaugural Quarterly Internet Security Report postulates that the finding indicates that cybercriminals’ capability to automatically repack or morph their malware has outpaced the AV industry’s ability to keep up with new signatures.

The study also uncovered a theme of old threats becoming new again. First, the results show that macro-based malware is still very prevalent. Despite being an old trick, many spear-phishing attempts still include documents with malicious macros, and attackers have adapted their tricks to include Microsoft’s new document format. Second, attackers still use malicious web shells to hijack web servers. PHP shells are alive and well, as nation-state attackers have been evolving this old attack technique with new obfuscation methods.

JavaScript is a popular malware delivery and obfuscation mechanism. The results indicate a rise in malicious JavaScript in the fourth quarter, both in email and over the web.

The report meanwhile found that most network attacks target web services and browsers. In fact, 73% of the top attacks target web browsers in drive-by download attacks.

Interestingly, the top network attack, Wscript.shell Remote Code Execution, almost entirely affected Germany alone. Breaking it down country by country, that attack targeted Germany 99% of the time.

WatchGuard’s Internet Security Report is based on anonymized data from more than 24,000 active WatchGuard unified threat management appliances worldwide, and the raw numbers show that attacks are up: These appliances blocked more than 18.7 million malware variants in the fourth quarter, which averages to 758 variants per participating device. They also blocked more than 3 million network attacks, which averages to 123 attacks per participating device.

“Our Threat Lab has been monitoring the most prevalent security industry threats and trends for years and now with the addition of the Firebox Feed—anonymized threat analytics from Fireboxes deployed around the world—we have firsthand, acute insight into the evolution of cyberattacks and how threat actors are behaving,” said Corey Nachreiner, CTO at WatchGuard. “Each quarter, our report will marry new Firebox Feed data with original research and analysis of major information security events to reveal key threat trends and provide defense best practices.”

New Malware Lets Attackers Encrypt 'Hand-Picked' Systems & Files

A new type of ransomware dubbed WYSIWYE (What You See Is What You Encrypt) has been detected by researchers at PandaLabs.

As explained in a post on the firm’s website, the standard ransomware technique cyber-crooks employ is to gain access to a computer and then simply execute the corresponding malware automatically to start encryption and ultimately display the ransom message.

However, in an analysis of a recent intrusion, PandaLabs discovered a more personalized type of malware generator which allows attackers “the chance to customize the malware using a user-friendly interface prior to launching it. Making it even easier for those with little technical knowledge to target companies.”

With this customized attack, PandaLabs adds, it’s possible to hand-pick the network computers whose information the attacker would like to encrypt, choose files, self-delete upon completing the encryption, enter stealth mode, etc.

“Usually ransomware has its own configuration, it only has to be executed and it will work in the same way everywhere,” Luis Corrons, PandaLabs technical director, Panda Security, told Infosecurity. “This one is designed for more custom attacks, mainly in corporate networks. In all cases we have studied (talking about this particular attack) attackers are gaining access to the different corporate networks after a brute-force attack against the remote desktop connection. Then they manually drop the ransomware, run it and can configure it in different ways depending on each victim, carefully picking what they want to encrypt.”

According to Corrons, this shows how cyber-criminals are evolving and changing their methods of attack: “Of course we still see the typical automated/unattended attacks, however it is noticeable the amount of hacking attacks to corporate networks, where cyber-criminals are fighting in real time against the defenses in place, bypassing one by one and changing strategies and adapting every time they are blocked.”

For users looking to protect themselves and avoid falling victim to this new attack technique, Corrons had the following advice:

• For all these attacks through RDP, never have remote desktop connections open to the internet in your corporate network. If it is needed, you can set up a VPN so users first have to access the internal network and afterwards they can use the remote desktop.
• Always change the default port (TCP 3389), and block all connections in the corporate firewall to this port.

New Mirai Variant Hits Target with 54-hour DDoS

Security researchers believe they have discovered a new version of the infamous IoT-powered Mirai botnet which was observed carrying out a mammoth 54-hour DDoS attack on a US university last month.

The attack was notable not only for its duration but also because it came at the application-layer rather than previous network-layer Mirai campaigns, according to Imperva Incapsula security researcher, Dima Bekerman.

“The average traffic flow came in at over 30,000 RPS and peaked at around 37,000 RPS—the most we’ve seen out of any Mirai botnet. In total, the attack generated over 2.8 billion requests,” he explained.

“Based on a number of signature factors, including header order, header values and traffic sources, our client classification system immediately identified that the attack emerged from a Mirai-powered botnet.”

It appears as if the usual suspects of CCTV cameras, DVRs and routers were compromised to power the DDoS attacks.

“While we don’t know for sure, open telnet (23) ports and TR-069 (7547) ports on these devices might indicate that they were exploited by known vulnerabilities,” Bekerman continued.

“We also noticed that the DDoS bots used in the attack were hiding behind different user-agents than the five hardcoded in the default Mirai version. This, and the size of the attack itself, led us to believe that we might be dealing with a new variant, which was modified to launch more elaborate application layer attacks.”

That 54-hour duration puts this attack “in a league of its own”, according to Bekerman, with most app-layer blasts lasting no longer than six hours.

The attack itself was launched from over 9700 IP addresses around the world, with most devices located in the US (18%), Israel (11%) and Taiwan (11%).

This isn’t the first new variant of Mirai spotted by eagle-eyed researchers, with cyber-criminals apparently looking to adapt the malware to increase its range.

Last December over 100,000 TalkTalk and Post Office broadband customers were taken offline after their routers were targeted by a Mirai variant exploiting a vulnerability in the TR-069 remote management protocol.

Then earlier this year researchers discovered a previously known Windows botnet being used to spread Mirai to Linux hosts.